fix: Insufficient verification of data authenticity classic builder cache poisoning

[imhunterand]

Summary

The project brave-intl/bat-go was used classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint.

Type of Change

• [ ] Product feature
• [x] Bug fix
• [ ] Performance improvement
• [ ] Refactor
• [ ] Other

Tested Environments

• [x] Development
• [ ] Staging
• [ ] Production

Before Requesting Review

• [x] Does your code build cleanly without any errors or warnings?
• [ ] Have you used auto closing keywords?
• [x] Have you added tests for new functionality?
• [ ] Have validated query efficiency for new database queries?
• [ ] Have documented new functionality in README or in comments?
• [ ] Have you squashed all intermediate commits?
• [x] Is there a clear title that explains what the PR does?
• [ ] Have you used intuitive function, variable and other naming?
• [x] Have you requested security and/or privacy review if needed
• [ ] Have you performed a self review of this PR?

Manual Test Plan

[pavelbrm]

This project does not use the library's code directly. Closing for now. Thanks.